Networking General - Discussion about hardware and software of computer networks

It's a weird issue with WinBox when you have more than one network interface or something like that.
Yep, that's the key.
If you use NetworkManager on Linux, without an IP assigned the Ethernet interface won't come up and won't do anything, redirecting traffic to the loopback interface. The solution is to change the Ethernet interface to "Shared to other computers" and it will allow you to connect by MAC. In my case I also had gufw, which blocked the connection. If you have a local firewall on your system, disable it, add a rule, or whatever.
 
Does anyone have a suggestion for a decent router and switch that can route and filter traffic at around 300 Mbit/s and isn't chinkshit/American? I am wondering if I need to throw together a cheap Intel build to DIY it with pfSense. I know MikroTik exists, but I'm not sure how decent SwOS is right now, and I've been fighting the router I do have from them (MikroTik hEX S).

So basically:

  1. Must be non-Chinese, non-American
  2. Needs to be able to handle a peak speed of ~40 Mbit/s, with a usual load of 10 Mbit/s, with filtering enabled.
  3. VLAN separation is a must
 
I am now using the old router I had as an additional wired access point for the other side of the house, which needs a reliable Internet connection instead of somewhat spotty wireless.
Do I need to do any special hardening on the main router? I was thinking of just having VLAN separation.
Edit: I realized I know fuck-all about VLANs.
Tried setting up something quick and it either doesn't work (not isolated) or it works too well (can't get access to DHCP and DNS, so nothing can connect).
I also wanted to separate the IPs that connect to that AP into their own DHCP pool for further hardening, but that comes later I guess.
Edit 2: to actually explain, I want to separate the AP and anything downstream of it connected on ether3 from anything connected to ether2, but it still needs access to ether1/PPPoE.
Furthermore, ether3 has to have its own DHCP pool.
 
I know MikroTik exists, but I'm not sure how decent SwOS is right now, and I've been fighting the router I do have from them (MikroTik hEX S).
SwOS is layer 2 only. It can do some very basic L3 filtering depending on the device, but it cannot do routing. The UI is a million times easier to work with than RouterOS though, all web-based, and the VLAN support is... reasonable.

Here are the ACL options on my CRS309-1G-8S+
[screenshot: ACL options]
You define the VLAN table under the "VLANs" tab. Basically the same as the VLAN database in Cisco devices, though doing this all in a web UI sucks vs a console where you can just copy and paste a giant table in with ease.
[screenshot: VLANs tab]
The "VLAN" tab defines the mode for each interface. My recommendation is that the first thing you do is change all the modes from "optional" to "strict". Optional with the default VLAN Receive of "any" will send and receive all tagged and untagged traffic without regard for the memberships you define on the VLANs page. If you change it to strict + only untagged, it behaves like an access port in Cisco.

For VLAN-aware devices such as WAPs and routers, I set it to strict + any or strict + only tagged, based on whether untagged traffic may be present. Default VLAN ID just defines the ID to tag untagged traffic with.
[screenshot: VLAN tab, per-port modes]

For routing, either figure out RouterOS or use a software router like OPNsense. With OPNsense you can create VLAN interfaces so you can do routing and shit.
[screenshot: OPNsense VLAN interfaces]
Edit: I realized I know fuck-all about VLANs.
In their most basic form, VLANs are just a way to segment traffic within a switch based on a "tag" in the Ethernet frame header. You have tagged and untagged traffic, where untagged traffic lacks the VLAN ID in the frame header, but it can be applied by a switch so that anything downstream of the port is none the wiser to the VLAN tagging, while switches can still segment traffic.

Tagged traffic, of course, is traffic which contains the VLAN ID, and this is what you're dealing with when you have a router making decisions based on what VLAN ID it sees. Basically any router capable of working with VLANs will have the concept of creating VLAN interfaces atop a real interface.

So say hypothetically ether2 is hooked up to an L2 managed switch that can do VLAN shit; you can create a VLAN interface underneath ether2 with the ID that you want, then anything you "tag" with that ID now just hits that special VLAN interface with its own separate DHCP pool, IP space, etc.

Anyway, I'm guessing you're using RouterOS based on the interface naming, but it's kinda hard to tell what the hell you're talking about, and certainly what you're doing right now does not involve VLANs at all, as you need to have VLAN interfaces to work with them. I know 100% you can do VLAN interfaces with ROS, but I don't have a working example to share with you as I migrated away from ROS back to OPNsense.
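Worked example of the tagging described in the two posts above (the SwOS strict/optional port modes and the tagged/untagged explanation), added here and not part of either post. It builds and parses 802.1Q frames and models a switch with one access port per VLAN plus a tagged uplink; the port names, MAC addresses and VLAN IDs are made up for the demonstration.

```python
"""Added example (not from the thread): build and parse 802.1Q-tagged Ethernet
frames and model how a VLAN-aware switch port treats them, using the SwOS terms
from the post above (strict/optional mode, VLAN Receive, Default VLAN ID).
Port names, MACs and VLAN IDs are constructed for illustration."""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs when vlan_id is set."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan_id          # TCI = PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst = ":".join(f"{b:02x}" for b in frame[:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, off = None, 14
    if ethertype == ETHERTYPE_VLAN:          # tagged: TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    return dst, src, vlan_id, ethertype, frame[off:]


class Port:
    """mode: 'strict' (only VLANs in `members` pass) or 'optional' (memberships ignored).
    receive: 'any', 'only tagged' or 'only untagged'. pvid: Default VLAN ID applied
    to untagged ingress. An access port is strict + 'only untagged' with pvid = its VLAN."""

    def __init__(self, name, pvid=1, receive="any", mode="strict", members=()):
        self.name, self.pvid, self.receive, self.mode = name, pvid, receive, mode
        self.members = set(members) | {pvid}

    def ingress(self, frame):
        """Classify a received frame into a VLAN; return (vid, tagged_frame) or None."""
        dst, src, vid, etype, payload = parse_frame(frame)
        if vid is None:                      # untagged: classified into the PVID
            if self.receive == "only tagged":
                return None
            return self.pvid, build_frame(dst, src, payload, vlan_id=self.pvid, ethertype=etype)
        if self.receive == "only untagged":
            return None
        if self.mode == "strict" and vid not in self.members:
            return None                      # strict port drops VIDs not in its VLAN table
        return vid, frame

    def egress(self, vid, frame):
        """Frame as it leaves this port, or None if the port is not in that VLAN."""
        if self.mode == "strict" and vid not in self.members:
            return None
        if vid == self.pvid:                 # native/access VLAN leaves untagged
            dst, src, _, etype, payload = parse_frame(frame)
            return build_frame(dst, src, payload, ethertype=etype)
        return frame                         # everything else stays tagged


def switch(ingress_port, frame, ports):
    """Flood a frame from ingress_port to every other port in its VLAN.
    Returns {port name: frame as transmitted}; MAC learning is left out on purpose."""
    hit = ingress_port.ingress(frame)
    if hit is None:
        return {}
    vid, tagged = hit
    out = {}
    for p in ports:
        if p is ingress_port:
            continue
        tx = p.egress(vid, tagged)
        if tx is not None:
            out[p.name] = tx
    return out


if __name__ == "__main__":
    ether2 = Port("ether2", pvid=10, receive="only untagged")            # access, VLAN 10
    ether3 = Port("ether3", pvid=20, receive="only untagged")            # access, VLAN 20
    uplink = Port("sfp1", pvid=1, receive="only tagged", members={10, 20})  # trunk
    f = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:03", b"hello")
    for name, tx in switch(ether3, f, [ether2, ether3, uplink]).items():
        print(name, "VID", parse_frame(tx)[2])
```

The two behaviours worth noticing: an untagged frame entering ether3 leaves the trunk tagged with VID 20 and never reaches ether2, while a trunk in "optional" mode happily forwards a VID it was never configured for, which is why the post above recommends switching everything to strict first.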
 
I am now using the old router I had as an additional wired access point for the other side of the house, which needs a reliable Internet connection instead of somewhat spotty wireless.
Do I need to do any special hardening on the main router? I was thinking of just having VLAN separation.
What is your attack vector? Do you live behind retardation like me and have to fend off bajillions of spam attacks on every port imaginable? Or do you just want to block your IoT shit from selling your data to corps? Or do you want to isolate whatever your guests and your retard SO (if you have one) do to your shit by "accidentally" downloading thousands of gay porn wrestling videos and clicking on every phishing link possible?
There are other ways aside from VLANs, since they have overhead, like isolating interfaces and bridging methods that may be more suitable.
 
Anyway, I'm guessing you're using RouterOS based on the interface naming, but it's kinda hard to tell what the hell you're talking about, and certainly what you're doing right now does not involve VLANs at all, as you need to have VLAN interfaces to work with them. I know 100% you can do VLAN interfaces with ROS, but I don't have a working example to share with you as I migrated away from ROS back to OPNsense.
You are right, I am a massive retard. I am using a MikroTik AX3.
Or do you want to isolate whatever your guests and your retard SO (if you have one) do to your shit by "accidentally" downloading thousands of gay porn wrestling videos and clicking on every phishing link possible?
Yep. I want to isolate devices. While being frustrated and not being able to make VLANs work, I tried applying some simple firewall rules, but I cannot apply them to single ports because they are bridged. But I have stumbled upon this https://help.mikrotik.com/docs/spaces/ROS/pages/28606465/Bridge+VLAN+Table which seems ideal? As I understand it, I can then apply firewall rules to VLANs once they are set up.
Alternatively I can unbind the ether ports from the bridge and break shit in ways I do not readily understand.
If there are simpler alternatives, please enlighten my retarded self.
 
I tried applying some simple firewall rules, but I cannot apply them to single ports because they are bridged
You bridged them all together? Why? You only do that if you want the other Ethernet ports on the same device to be on the same network. The ROS quickstart does this to emulate how most consoomer routers work.

If you want to isolate a port, take it out of the bridge for starters, then configure an address for it in IP -> Addresses. Create a new DHCP scope under IP -> DHCP Server with the IP space for your isolated network. The ROS quickstart creates an interface list for LAN, and you may wish to add your isolated interface to that list, as otherwise I'm pretty sure the default firewall rules will totally blackhole the interface.

Firewall rules are applied in the order listed on the page. If you shove a rule in at the top which applies an action, none of the rules below it will be evaluated. Enable Safe Mode before making changes so ROS auto-rollbacks any changes that cause you to lose connectivity.
 
If you want to isolate a port, take it out of the bridge for starters, then configure an address for it in IP -> Addresses. Create a new DHCP scope under IP -> DHCP Server with the IP space for your isolated network. The ROS quickstart creates an interface list for LAN, and you may wish to add your isolated interface to that list, as otherwise I'm pretty sure the default firewall rules will totally blackhole the interface.
Yep, I just figured this out as you posted it. Though for some reason I still can't ping the AP over ether3. (Edit: I can't ping it because it's ISOLATED, I am an IDIOT.) I'll double-check my settings.
They are bridged by default and I did not have a need to isolate them further until now. ether1 is already isolated for PPPoE, which leaves ether2 (bridged) for my machine and wifi (bridged), which is not an issue. ether4 is unused but bridged/disabled. ether5 is isolated for emergency access.
 
You are right, I am a massive retard. I am using a MikroTik AX3.

Yep. I want to isolate devices. While being frustrated and not being able to make VLANs work, I tried applying some simple firewall rules, but I cannot apply them to single ports because they are bridged. But I have stumbled upon this https://help.mikrotik.com/docs/spaces/ROS/pages/28606465/Bridge+VLAN+Table which seems ideal? As I understand it, I can then apply firewall rules to VLANs once they are set up.
Alternatively I can unbind the ether ports from the bridge and break shit in ways I do not readily understand.
If there are simpler alternatives, please enlighten my retarded self.
You can still tag individual ports when they're in a bridge. As I understand it, you want to keep the ports in the bridge so the router can automatically use hardware offloading. You just have to go to the Bridge tab and add the Ethernet port to a list with the VLAN you want it to be a part of.
 
The way I did VLANs is this:
- managed switch has LAN ports set to untagged VLAN 10
- the trunk port has tagged VLAN 10
- on the router, in /interface/vlan I have a VLAN interface for the port connected to the trunk port with the appropriate VLAN
- I add this VLAN interface to my LAN bridge in /interface/bridge/port

Finally getting my hands on a managed switch helped me understand how VLANs work, and I've moved the entire LAN to VLAN 10, where I forget I'm running on a VLAN. In short, when you tag a port, for a device to connect to that VLAN tag it needs to have it explicitly declared. If it's untagged, then the end device connects as usual, but the switch/router tags that traffic to be passed further. A trunk port is basically a consolidation of all tagged VLANs to be split up on the router.

In MikroTik you use /interface/vlan for that, and if you have a Realtek NIC on Windows, for example, you use Realtek's Ethernet Diagnostic Utility to create a new virtual device with a set VLAN, or, if you're fine with restricting your network interface to just that VLAN, you can set it directly in Windows. Linux has its own methods of creating virtual VLAN interfaces, but the idea stays the same: you have to explicitly declare that VLAN tag on the end device. As for trunk ports and MikroTik: you choose a port on your switch, set all the VLANs you want to pass to the router as tagged on that port, and plug the router into it. Then in /interface/vlan you add all the VLANs on that port. Then you use those interfaces as if they were regular Ethernet interfaces, so you can assign them to bridges, filter them, whatever.

Another example of how I've used these VLANs: I've set up a separate VLAN for the IPTV decoder. On the switch it's set to untagged on the port the decoder is plugged into and tagged on the trunk port. Then I have a VLAN interface set up on the router, and that VLAN interface is bridged with the VLAN interfaces on the ONT that the decoder uses for streaming. The end result is that I only have two Ethernet cables plugged into the router, one for the ONT and one for the switch, and I keep the decoder completely separate from the rest of the network, where before I had to use a third port, as there was no other way for me to isolate it with a dumb switch. Another application is a VLAN that's cut off from other networks and the Internet but can see a Samba file server, so that if I run something I don't want connected to the Internet, for example a legacy computer, but want some form of file sharing between my network and that PC, that's how I achieve it. It can only see that file server, so I drop something onto it from my home network, and then that computer can grab it from the same server. Think of it as an intermediary "air gap", even if it's not a network air gap per se. The computers don't see each other directly, but data can be exchanged between them.

What I'm saying is that VLANs become piss easy once you get a managed switch. I got a Netgear GS108Ev4 as it was the cheapest non-chink 8-port managed switch, and it works well.
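Putting the replies above together as an added example (my config, not the poster's, and not tested on their AX3): bridge VLAN filtering on RouterOS 7 for the layout described earlier in the thread, with ether1 on PPPoE and outside the bridge, ether2 plus the wifi radios as the main LAN, ether3 feeding the AP, and ether5 kept out of the bridge for emergency access. The bridge name "bridge", the interface list "LAN", the wifi interface names wifi1/wifi2, VLAN IDs 10/20 and the 192.168.10.0/24 and 192.168.20.0/24 ranges are assumptions. If you instead pull ether3 out of the bridge as the other reply suggests, steps 4 to 6 are the same with ether3 in place of vlan20-ap.

```routeros
# Added example, not the thread's own config. Assumptions: default bridge is
# "bridge", ether2 + wifi1/wifi2 = main LAN, ether3 = AP segment, ether1 =
# PPPoE uplink (not in the bridge), ether5 outside the bridge as a management
# escape hatch. VLAN IDs and subnets are made up. Enter Safe Mode first
# (Ctrl-X in the terminal, the button in WinBox): if you lock yourself out,
# the changes roll back.

# 1. Port membership. Ports stay in the bridge so hardware offload is kept;
#    pvid = the VLAN that untagged frames arriving on that port land in.
/interface bridge port
set [find interface=ether2] pvid=10
set [find interface=wifi1]  pvid=10
set [find interface=wifi2]  pvid=10
set [find interface=ether3] pvid=20

# 2. Bridge VLAN table: which ports carry each VLAN, tagged or untagged.
#    "bridge" itself is listed as tagged so the router's own VLAN interfaces
#    (step 3) receive the traffic.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2,wifi1,wifi2
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether3

# 3. One L3 interface per VLAN on top of the bridge.
/interface vlan
add name=vlan10-lan interface=bridge vlan-id=10
add name=vlan20-ap  interface=bridge vlan-id=20

# 4. Addresses, a separate pool and DHCP server per VLAN (the "own DHCP pool"
#    requirement from the original question).
/ip address
add interface=vlan10-lan address=192.168.10.1/24
add interface=vlan20-ap  address=192.168.20.1/24
/ip pool
add name=pool-lan ranges=192.168.10.100-192.168.10.200
add name=pool-ap  ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp-lan interface=vlan10-lan address-pool=pool-lan
add name=dhcp-ap  interface=vlan20-ap  address-pool=pool-ap
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 5. The quickstart firewall only accepts input from the "LAN" interface list;
#    without this, DHCP and DNS requests from the new segment are dropped.
/interface list member
add list=LAN interface=vlan10-lan
add list=LAN interface=vlan20-ap

# 6. Isolation: the AP segment may reach the PPPoE uplink but not the main
#    LAN. "add" appends after the default rules, so established/related is
#    still accepted first and connections the main LAN opens toward the AP
#    segment keep working; only new connections in the AP -> LAN direction die.
/ip firewall filter
add chain=forward action=drop connection-state=new in-interface=vlan20-ap \
    out-interface=vlan10-lan comment="AP segment may not initiate to main LAN"

# 7. Switch filtering on last; until now the VLAN table was inert. Do this
#    from a session on ether5 (outside the bridge) or on a port that is in
#    the table, and exit Safe Mode only after confirming clients still get leases.
/interface bridge set bridge vlan-filtering=yes
```

Check the result with `/interface bridge vlan print` (every VLAN should list the bridge as tagged and the expected ports as untagged), `/ip dhcp-server lease print` for leases on both pools, and `/ip firewall filter print` to confirm the drop rule sits below the established/related accept.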
 
When my computer requests shit from my hotspot, is there a way to force my computer to ask for a TTL with a value of 64?

Because when my carrier throttles my cheeks closed, they don't actually stop the device data, only the hotspot data, which I think the carrier differentiates by a TTL of 64 for device data, so I was thinking if I could just force that, could I become unthrottleable?
 
When my computer requests shit from my hotspot, is there a way to force my computer to ask for a TTL with a value of 64?

Because when my carrier throttles my cheeks closed, they don't actually stop the device data, only the hotspot data, which I think the carrier differentiates by a TTL of 64 for device data, so I was thinking if I could just force that, could I become unthrottleable?
Windows?
Find HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the registry and set/add
DefaultTTL (DWORD) = 64
Original link: https://gist.github.com/asheroto/942db6b331db8f070472990da6e6e1db
 
Windows?
Find HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the registry and set/add
DefaultTTL (DWORD) = 64
Original link: https://gist.github.com/asheroto/942db6b331db8f070472990da6e6e1db
I looked a little bit online and it looks like this used to be a thing in the past? Or at the very least there were other idiots who thought it was a thing. But I guess now carriers use deep packet inspection to parse out hotspot data from device data, not just TTL.
 
I looked a little bit online and it looks like this used to be a thing in the past? Or at the very least there were other idiots who thought it was a thing. But I guess now carriers use deep packet inspection to parse out hotspot data from device data, not just TTL.
I know what you want to do; as a matter of fact I do this very often to harden my Tor setup (though it is unique...). You could use Chrome on Windows 10 since it uses BoringSSL, but then you get assraped by Google. The fundamental issue is that Android uses BoringSSL, which sends traffic and its metadata in a different way from SChannel/OpenSSL and (maybe) Windows BoringSSL.

You will need the following:
1) Firefox and the user-agent switcher extension
2) Some way to check the fingerprint to match your Android device's TLS 1.2/1.3 and JA4 fingerprint: https://browserleaks.com/tls or https://tls.peet.ws/api/all
3) DoH and ECH?
4) Something to block most of the Windows system-specific traffic (like updates, DNS resolver lookups)

If it decreases by 1 in TTL per hop, then just set it to 65. 65-1=64 lmao. Pretty sure your bigger issue would be device self-reporting on IMEI, if it does that.

My thoughts:
1) Use Firefox and get the user-agent spoofer. Link: https://webextension.org/listing/useragent-switcher.html and spoof the user agent as a mobile device (e.g. mobile Firefox 145 on Android)
[screenshots: user-agent switcher settings]
2) Set TTL to 65
3) Disable additional ciphers/curves/MACs that are non-Android ones in Firefox, so it'd be something like only having the following (about:config):

  • Ciphers: X25519, AES 128 GCM SHA 256, AES 256 GCM SHA 384
  • Curves: X25519, P256, P384, X25519 Kyber 768 (? newer Android only iirc) (in that order)
  • Signatures: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384
  • MAC: Poly1305, SHA384, SHA256, no CBC, AEAD only.
4) Disable/block Windows system DNS traffic.

Drawbacks:
1) You cannot precisely mimic BoringSSL meta-traffic patterns; especially not sure how to mimic GREASE. Maybe an internal uTLS proxy of sorts??
2) Some websites will be utterly broken
3) Likely to be blocked by CF at times
4) Sometimes the NSS overrides; then patch and recompile.
5) Still functionally worthless if they have IMEI broadcast or other DPI methods...
I have no idea how to spoof iOS... Their BoringSSL fork is internal afaik, so you can only match the cipher/key/MAC suites...
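Item 2 in the list above, checking what fingerprint a client actually presents, as an added example that is not the poster's tooling: a ClientHello builder and a JA3 calculator (JA3 is the older, simpler relative of the JA4 fingerprint mentioned; both are computed from the same ClientHello fields). The cipher, group and signature lists are a constructed, Android-ish set, not a captured fingerprint of any real device, and the test shows why adding GREASE alone changes nothing: the hash skips it.

```python
"""Added example (not from the thread): compute a JA3 fingerprint from a TLS
ClientHello. The ClientHello is built here from constructed cipher/group/
extension lists; it does not reproduce any real browser's exact fingerprint."""
import hashlib
import struct

# RFC 8701 GREASE values; JA3 drops them so that random GREASE does not churn the hash
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

# Constructed lists (TLS 1.3 suites first, then ECDHE AES-GCM / ChaCha20), not a capture.
ANDROID_LIKE_CIPHERS = [0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9, 0xcca8]
ANDROID_LIKE_GROUPS = [0x001d, 0x0017, 0x0018]                  # x25519, P-256, P-384
ANDROID_LIKE_SIGALGS = [0x0403, 0x0804, 0x0401]                 # ecdsa_p256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256


def u16(v):
    return struct.pack("!H", v)


def ext(etype, body):
    return u16(etype) + u16(len(body)) + body


def build_client_hello(ciphers, groups, sigalgs, sni="example.com", grease=False):
    """One TLS record holding a ClientHello (TLS 1.2 framing, TLS 1.3 offered via
    supported_versions). Random and session id are zeros: JA3 ignores them."""
    g = [0x0a0a] if grease else []
    suites = b"".join(u16(c) for c in g + ciphers)
    name = sni.encode()
    exts = b""
    if grease:
        exts += ext(0x0a0a, b"")                                                   # GREASE extension
    exts += ext(0x0000, u16(len(name) + 3) + b"\x00" + u16(len(name)) + name)     # server_name
    exts += ext(0x000a, u16(2 * len(g + groups)) + b"".join(u16(x) for x in g + groups))  # supported_groups
    exts += ext(0x000b, b"\x01\x00")                                               # ec_point_formats: uncompressed
    exts += ext(0x000d, u16(2 * len(sigalgs)) + b"".join(u16(x) for x in sigalgs))  # signature_algorithms
    exts += ext(0x002b, b"\x04" + u16(0x0304) + u16(0x0303))                       # supported_versions
    body = (u16(0x0303) + bytes(32) + b"\x00"            # version, random, empty session id
            + u16(len(suites)) + suites + b"\x01\x00"    # cipher suites, compression = null
            + u16(len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type ClientHello
    return b"\x16" + u16(0x0301) + u16(len(hs)) + hs      # record type handshake


def ja3(record):
    """Return (ja3_string, ja3_md5): version,ciphers,extensions,groups,point_formats."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                 # skip type + 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    p += 32                                               # random
    p += 1 + hs[p]                                        # session id
    n = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + hs[p]                                        # compression methods
    n = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + n
    exts, groups, fmts = [], [], []
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        body = hs[p:p + elen]; p += elen
        exts.append(etype)
        if etype == 0x000a:                               # supported_groups
            cnt = struct.unpack("!H", body[:2])[0]
            groups = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, 2 + cnt, 2)]
        elif etype == 0x000b:                             # ec_point_formats
            fmts = list(body[1:1 + body[0]])
    join = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    s = f"{version},{join(ciphers)},{join(exts)},{join(groups)},{'-'.join(map(str, fmts))}"
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    rec = build_client_hello(ANDROID_LIKE_CIPHERS, ANDROID_LIKE_GROUPS, ANDROID_LIKE_SIGALGS)
    print(*ja3(rec))
```

To compare against a real device, feed `ja3()` the first handshake record of a capture from the phone (e.g. exported from Wireshark as raw bytes) and the same from the PC; the strings, not just the hashes, show which list differs, which is what the about:config trimming above is trying to close.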
 
Oh sorry, I didn't mean to imply that you didn't know what I wanted to do; I just didn't know that it was, like... an outdated idea that requires a lot more work these days.

Still, it's cool that it looks like it can still be done depending on what the carrier looks for, even if it's more than I think I'm capable of. So basically in a lot of cases, if they have thorough DPI or there's no IMEI response, you're out of luck, right?
 
Oh sorry, I didn't mean to imply that you didn't know what I wanted to do; I just didn't know that it was, like... an outdated idea that requires a lot more work these days.

Still, it's cool that it looks like it can still be done depending on what the carrier looks for, even if it's more than I think I'm capable of. So basically in a lot of cases, if they have thorough DPI or there's no IMEI response, you're out of luck, right?
In the IMEI code, two things:
1) The first 8 digits are the make and model signature of the device; from that it can be determined if it is a phone/hotspot router/tablet etc.
2) Most devices perform what's called a provisioning check. When you enable a hotspot, the IMEI and BSP send out a signal to check if your plan allows for a hotspot (and usually plan details). If the return is NO, then you cannot use hotspot data.

The DPI is a bit tricky because you don't know what they're looking for. The closest 1-to-1 match is to use BoringSSL, but they may just be looking for a specific portion of the JA3/JA4 hash on the TLS or other metadata identifiers. They have to walk a fine line of not annoying the 1% with special/odd devices into agitating public opinion against them.
 
You guys I learned how to do subnetting check this out
10.217.182.223/11

[0000 1010.110]1 1001.1011 0110.1101 1111
[0000 1010.110]0 0000.0000 0000.0000 0000
[0000 1010.110]0 0000.0000 0000.0000 0001
[0000 1010.110]1 1111.1111 1111.1111 1111

nw address: 10.192.0.0/11
bc address: 10.223.255.255/11
1st add: 10.192.0.1/11
last add: 10.223.255.254/11
hosts: 2,097,152
 
Look at VLSM too

[diagram: LAN layout]

LAN A - 110 host addresses needed

netw address: 1100 0000.1010 1000.0000 0001.0 000 0000 192.168.1.0/25
broc address: 1100 0000.1010 1000.0000 0001.0 111 1111 192.168.1.127/25
firu address: 1100 0000.1010 1000.0000 0001.0 000 0001 192.168.1.1/25
lasu address: 1100 0000.1010 1000.0000 0001.0 111 1111 192.168.1.126/25

LAN B - 45 host addresses needed

netw address: 1100 0000.1010 1000.0000 0001.10 00 0000 192.168.1.128/26
broc address: 1100 0000.1010 1000.0000 0001.10 11 1111 192.168.1.191/26
firu address: 1100 0000.1010 1000.0000 0001.10 00 0001 192.168.1.129/26
lasu address: 1100 0000.1010 1000.0000 0001.10 11 1111 192.168.1.192/26

LAN C - 29 hosts addresses needed

netw address: 1100 0000.1010 1000.0000 0001.110 0 0000 192.168.1.192/27
broc address: 1100 0000.1010 1000.0000 0001.110 1 1111 192.168.1.223/27
firu address: 1100 0000.1010 1000.0000 0001.110 0 0010 192.168.1.194/27
lasu address: 1100 0000.1010 1000.0000 0001.110 1 1110 192.168.1.222/27

LAN D - 8 hosts needed

netw address: 1100 0000.1010 1000.0000 0001.1110 0000 192.168.1.224/28
broc address: 1100 0000.1010 1000.0000 0001.1110 1111 192.168.1.239/28
firu address: 1100 0000.1010 1000.0000 0001.1110 0001 192.168.1.225/28
lasu address: 1100 0000.1010 1000.0000 0001.1110 1110 192.168.1.238/28


I'm starting to like doing this
Edit: LOL, forgot to do the point-to-point connection, but that's just a /30 subnet mask and there are only 4 possible addresses: the two interfaces, the network address and the broadcast address.
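The same arithmetic as the two hand-worked posts above (the /11 breakdown and the VLSM plan for LAN A to D plus the point-to-point link), as an added example using only the standard library; it is not from either post. The inputs are the thread's own, and the bit-string output marks the prefix in brackets the way the posts do.

```python
"""Added example (not from the thread): subnet summary and VLSM allocation with
the stdlib ipaddress module. Inputs below are the thread's own worked cases."""
import ipaddress


def subnet_summary(cidr):
    """Network, broadcast, first/last usable host and usable count for an address
    given in CIDR form. 'bits' is the 32-bit string with the prefix in [brackets]."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    bits = format(int(iface.ip), "032b")
    dotted = ".".join(bits[i:i + 8] for i in range(0, 32, 8))
    cut = net.prefixlen + (net.prefixlen - 1) // 8      # prefix bits plus the dots passed
    n = net.num_addresses
    if net.prefixlen >= 31:                             # RFC 3021 point-to-point: no reserved addresses
        first, last, usable = net.network_address, net.broadcast_address, n
    else:
        first, last, usable = net.network_address + 1, net.broadcast_address - 1, n - 2
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "first": str(first),
        "last": str(last),
        "usable": usable,
        "bits": f"[{dotted[:cut]}]{dotted[cut:]}",
    }


def smallest_prefix(hosts):
    """Longest prefix whose usable host count (2^(32-len) - 2) still covers `hosts`."""
    for plen in range(30, -1, -1):
        if 2 ** (32 - plen) - 2 >= hosts:
            return plen
    raise ValueError("too many hosts for IPv4")


def vlsm(base, demands):
    """Carve `base` into subnets for {name: hosts}. Allocating largest-first keeps
    every block aligned to its own size, so the cursor is always a valid network
    address. Returns {name: IPv4Network}; raises ValueError when space runs out."""
    base = ipaddress.ip_network(base)
    cursor = int(base.network_address)
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        plen = smallest_prefix(hosts)
        if plen < base.prefixlen:
            raise ValueError(f"{name}: needs a /{plen}, larger than {base}")
        net = ipaddress.ip_network((cursor, plen))
        if net.broadcast_address > base.broadcast_address:
            raise ValueError(f"{name}: no room left in {base}")
        plan[name] = net
        cursor = int(net.broadcast_address) + 1
    return plan


if __name__ == "__main__":
    for k, v in subnet_summary("10.217.182.223/11").items():
        print(f"{k:>9}: {v}")
    demands = {"LAN A": 110, "LAN B": 45, "LAN C": 29, "LAN D": 8, "P2P": 2}
    for name, net in vlsm("192.168.1.0/24", demands).items():
        s = subnet_summary(str(net))
        print(f"{name}: {net}  first {s['first']}  last {s['last']}  usable {s['usable']}")
```

Running it reproduces the /25, /26, /27, /28 and /30 carve-up of 192.168.1.0/24 and prints the first/last usable address of each block, which is the quickest way to check hand-worked answers before they end up in a router config.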
 
You guys I learned how to do subnetting check this out
10.217.182.223/11

[0000 1010.110]1 1001.1011 0110.1101 1111
[0000 1010.110]0 0000.0000 0000.0000 0000
[0000 1010.110]0 0000.0000 0000.0000 0001
[0000 1010.110]1 1111.1111 1111.1111 1111

nw address: 10.192.0.0/11
bc address: 10.223.255.255/11
1st add: 10.192.0.1/11
last add: 10.223.255.254/11
hosts: 2,097,152
Look Mum, 2²¹-2 hosts. Prolly gon'need a loicense for that.

On a serious note, the IPv4 stuff is super easy and fun. It's IPv6 that is freaking cumbersome in practice, despite being supposedly easier in theory, because of all the buttfuckery they came up with to make sure we'd never run out of address space in a world where every little thing would be an Internet device.
 